Pennsylvania Breach of Personal Information Notification Act (73 P.S. § 2301 – § 2330) (Amended September 2024)

Pennsylvania Breach of Personal Information Notification Act

73 P.S. § 2301 – § 2330

 

CITATION:

Title 73 P.S. Trade and Commerce

Chapter 43. Breach of Personal Information Notification Act

73 P.S. PA ST Ch. 43, Refs & Annos

§ 2301. Short Title

§ 2302. Definitions

§ 2303. Notification of the Breach of the Security of the System

§ 2304. Exceptions

§ 2305. Notification of Consumer Reporting Agencies

§ 2305a. Encryption Required

§ 2305b. Data Storage Policy

§ 2305c. Entities Subject to the Health Insurance Portability and Accountability Act of 1996

§ 2306. Preemption

§ 2307. Notice Exemption

§ 2308. Civil Relief

§ 2329. Applicability

§ 2330. Effective Date

 

§ 2301. Short title

This act shall be known and may be cited as the Breach of Personal Information Notification Act.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 1, effective in 180 days [June 20, 2006].

73 P.S. § 2301, PA ST 73 P.S. § 2301

Current through Act 13 of the 2024 Regular Session. Some statute sections may be more current, see credits for details.

 

§ 2302. Definitions

The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:

“Breach of the security of the system.” The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the entity and is not subject to further unauthorized disclosure.

“Business.” A sole proprietorship, partnership, corporation, association or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered or holding a license or authorization certificate under the laws of this Commonwealth, any other state, the United States or any other country, or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records.

“Determination.” A verification or reasonable certainty that a breach of the security of the system has occurred.

“Discovery.” The knowledge of or reasonable suspicion that a breach of the security of the system has occurred.

“Encryption.” The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

“Entity.” A State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.

“Health insurance information.” An individual's health insurance policy number or subscriber identification number in combination with access code or other medical information that permits misuse of an individual's health insurance benefits.

“Individual.” A natural person.

“Medical information.” Any individually identifiable information contained in the individual's current or historical record of medical history or medical treatment or diagnosis created by a health care professional.

“Notice.” May be provided by any of the following methods of notification:

(1) Written notice to the last known home address for the individual.

(2) Telephonic notice, if the individual can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the individual to provide personal information and the individual is provided with a telephone number to call or Internet website to visit for further information or assistance.

(3) E-mail notice, if a prior business relationship exists and the person or entity has a valid e-mail address for the individual.

(3.1) Electronic notice, if the notice directs the person whose personal information has been materially compromised by a breach of the security of the system to promptly change the person's password and security question or answer, as applicable, or to take other steps appropriate to protect the person's online account to the extent the entity has sufficient contact information for the person.

(4)(i) Substitute notice, if the entity demonstrates one of the following:

(A) The cost of providing notice would exceed $100,000.

(B) The affected class of subject persons to be notified exceeds 175,000.

(C) The entity does not have sufficient contact information.

(ii) Substitute notice shall consist of all of the following:

(A) E-mail notice when the entity has an e-mail address for the subject persons.

(B) Conspicuous posting of the notice on the entity's Internet website if the entity maintains one.

(C) Notification to major Statewide media.

“Personal information.”

(1) An individual's first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted:

(i) Social Security number.

(ii) Driver's license number or a State identification card number issued in lieu of a driver's license.

(iii) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.

(iv) Medical information in the possession of a State agency or State agency contractor.

(v) Health insurance information.

(vi) A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

(2) The term does not include publicly available information that is lawfully made available to the general public from Federal, State or local government records or widely distributed media.

“Records.” Any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed or electromagnetically transmitted. The term does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number.

“Redact.” The term includes, but is not limited to, alteration or truncation such that no more than the last four digits of a Social Security number, driver's license number, State identification card number or account number is accessible as part of the data.

“State agency.” Any agency, board, commission, authority or department of the Commonwealth and the General Assembly.

“State agency contractor.” A person, business, subcontractor or third party subcontractor that has a contract with a State agency for goods or services that requires access to personal information for the fulfillment of the contract.
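The definitions above decide whether a breached data set is in scope at all: a record is "personal information" only when a name is linked to at least one of the listed data elements, and only when that element is neither encrypted nor redacted (no more than the last four digits accessible). The following Python is an added example for this page, not statutory text or any state system's code; the Record layout, field names and sample rows are this example's own assumptions, and it also applies the principal-mailing-address residency test that § 2303(a) permits so that the in-scope count can be compared against the 500-resident thresholds in §§ 2303(c.1) and 2305.

```python
# Added example (not part of the Act): a scope check that applies the § 2302
# definitions of "personal information" and "redact" to records of an assumed
# layout.  The Record class, field names and sample rows are assumptions.
import re
from dataclasses import dataclass


@dataclass
class Record:
    """One row of a hypothetical customer database (assumed layout)."""
    first_name: str = ""                    # first name or first initial
    last_name: str = ""
    state: str = ""                         # principal mailing address state, per § 2303(a)
    ssn: str = ""                           # (i)
    drivers_license: str = ""               # (ii) or a State ID number issued in lieu of one
    account_number: str = ""                # (iii) financial account / card number ...
    account_access_code: str = ""           # ... plus the code that permits account access
    medical_information: str = ""           # (iv), and part of (v)
    held_by_state_agency: bool = False      # (iv) counts only for a State agency or contractor
    health_insurance_id: str = ""           # (v) policy or subscriber number ...
    health_insurance_access_code: str = ""  # ... plus access code (or other medical info)
    login_identifier: str = ""              # (vi) user name or e-mail address ...
    login_secret: str = ""                  # ... plus password or security question and answer
    encrypted_fields: frozenset = frozenset()  # fields stored encrypted (§ 2302 "Encryption")


def is_redacted(value: str) -> bool:
    """§ 2302 "Redact": no more than the last four digits are accessible."""
    return len(re.sub(r"\D", "", value)) <= 4


def present(rec: Record, name: str) -> bool:
    """A data element counts only if stored in the clear (not in encrypted_fields)."""
    return bool(getattr(rec, name)) and name not in rec.encrypted_fields


def present_number(rec: Record, name: str) -> bool:
    """Numeric identifiers additionally drop out of scope when redacted."""
    return present(rec, name) and not is_redacted(getattr(rec, name))


def triggered_elements(rec: Record) -> list:
    """Which § 2302 (1)(i)-(vi) data elements the record carries in usable form."""
    hits = []
    if present_number(rec, "ssn"):
        hits.append("(i) Social Security number")
    if present_number(rec, "drivers_license"):
        hits.append("(ii) driver's license or State ID number")
    # (iii) an account number alone is not enough; it needs the code that permits access
    if present_number(rec, "account_number") and present(rec, "account_access_code"):
        hits.append("(iii) financial account number with access code")
    if rec.held_by_state_agency and present(rec, "medical_information"):
        hits.append("(iv) medical information held by a State agency or contractor")
    if present(rec, "health_insurance_id") and (
        present(rec, "health_insurance_access_code") or present(rec, "medical_information")
    ):
        hits.append("(v) health insurance information")
    if present(rec, "login_identifier") and present(rec, "login_secret"):
        hits.append("(vi) user name or e-mail address with password or security Q&A")
    return hits


def is_personal_information(rec: Record) -> bool:
    """§ 2302 "Personal information" (1): a name (first name or initial plus last
    name) linked to at least one unencrypted, unredacted data element.  The (2)
    carve-out for publicly available information is not modelled here."""
    has_name = bool(rec.first_name) and bool(rec.last_name)
    return has_name and bool(triggered_elements(rec))


def affected_commonwealth_residents(records) -> int:
    """Count in-scope records whose principal mailing address is in Pennsylvania,
    the residency test that § 2303(a) allows an entity to use."""
    return sum(1 for r in records if is_personal_information(r) and r.state == "PA")


# Constructed sample rows (not real data).
SAMPLE = [
    Record("Ada", "Lovelace", "PA", ssn="123-45-6789"),                               # in scope: (i)
    Record("Ada", "Lovelace", "PA", ssn="***-**-6789"),                               # redacted: out
    Record("Ada", "Lovelace", "PA", ssn="123-45-6789", encrypted_fields=frozenset({"ssn"})),  # encrypted: out
    Record("A", "Lovelace", "PA", account_number="4111 1111 1111 1111"),              # no access code: out
    Record("A", "Lovelace", "NJ", account_number="4111 1111 1111 1111", account_access_code="123"),  # (iii), not a PA resident
    Record("Ada", "", "PA", ssn="123-45-6789"),                                       # no last name: out
    Record("Ada", "Lovelace", "PA", login_identifier="ada@example.com", login_secret="hunter2"),  # (vi)
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(is_personal_information(r), triggered_elements(r))
    print("affected Commonwealth residents:", affected_commonwealth_residents(SAMPLE))
```

Two points the rows illustrate: an account number that is stored in the clear is still outside the definition until the matching access code is also exposed, and encryption only removes an element from scope if the key was not part of the compromise (§ 2303(b) still requires notice when encrypted data is acquired in unencrypted form or the attacker had access to the key), so encrypted_fields should be populated from the incident's findings rather than from the schema alone.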

Credits

2005, Dec. 22, P.L. 474, No. 94, § 2, effective in 180 days [June 20, 2006]. Amended 2022, Nov. 3, P.L. 2139, No. 151, § 2, effective in 180 days [May 2, 2023]; 2024, June 28, P.L. 427, No. 33, § 1, effective in 90 days [Sept. 26, 2024].

73 P.S. § 2302, PA ST 73 P.S. § 2302

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2303. Notification of the breach of the security of the system

(a) General rule.--An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following determination of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Except as provided in section 4¹ or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system, the notice shall be made without unreasonable delay. For the purpose of this section, a resident of this Commonwealth may be determined to be an individual whose principal mailing address, as reflected in the computerized data which is maintained, stored or managed by the entity, is in this Commonwealth.

(a.1) Notification by State agency or State agency contractor.--

(1) If a State agency determines that it is the subject of a breach of the security of the system affecting personal information maintained by the State agency or State agency contractor, the State agency shall provide notice of the breach of the security of the system required under subsection (a) within seven business days following determination of the breach of the security of the system. Notification shall be provided concurrently to the Office of Attorney General.

(2) A State agency contractor shall, upon discovery of the breach of the security of the system, notify the chief information security officer, or a designee, of the State agency affected by the State agency contractor's breach of the security of the system as soon as reasonably practical, but no later than the time period specified in the applicable terms of the contract between the State agency contractor and the State agency of the breach of the security of the system.

(3) A State agency under the Governor's jurisdiction shall also provide notice of a breach of the security of the system to the Governor's Office of Administration within three business days following the determination of the breach of the security of the system. Notification shall occur notwithstanding the existence of procedures and policies under section 7.²

(4) A State agency that, after the effective date of this section, enters into a contract which involves the use of personal information with a State agency contractor shall ensure that the contract includes provisions relating to the State agency contractor's compliance with this act.

(a.2) Notification by county, public school or municipality.--If a county, public school or municipality is the subject of a breach of the security of the system, the county, public school or municipality shall provide notice of the breach of the security of the system required under subsection (a) within seven business days following determination of the breach of the security of the system. Notification shall be provided to the district attorney in the county where the breach of the security of the system occurred within three business days following determination of the breach of the security of the system. Notification shall occur notwithstanding the existence of procedures and policies under section 7.

(a.3) Electronic notification.--In the case of a breach of the security of the system involving personal information for a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the entity, to the extent that it has sufficient contact information for the person, may comply with this section by providing the breach of the security of the system notification in electronic or other form that directs the person whose personal information has been materially compromised by the breach of the security of the system to promptly change the person's password and security question or answer, as applicable or to take other steps appropriate to protect the online account with the entity and other online accounts for which the person whose personal information has been materially compromised by the breach of the security of the system uses the same user name or e-mail address and password or security question or answer.

(a.4) Affected individuals.--In the case of a breach of the security of the system involving personal information of an individual's user name or e-mail address in combination with a password or security question and answer that would permit access to an online account, the State agency contractor may comply with this section by providing a list of affected residents of this Commonwealth and their valid e-mail addresses, if known, to the State agency subject of the breach of the security of the system.

(b) Encrypted information.--An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key.

(c) Vendor notification.--A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice of any breach of the security of the system following discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity shall be responsible for making the determinations and discharging any remaining duties under this act.

(c.1) Notice to Attorney General.--When notice of the breach of the security of the system under this section must be given to more than 500 affected individuals in this Commonwealth, notice shall be made concurrently to the Office of Attorney General. Notice to the Attorney General shall include the following information to the extent known by the notifying entity:

(1) The organization name and location.

(2) The date of the breach of the security of the system.

(3) A summary of the breach incident of the security of the system.

(4) An estimated total number of individuals affected by the breach of the security of the system.

(5) An estimated total number of individuals in this Commonwealth affected by the breach of the security of the system.

(c.2) Exemption.--An entity subject to the requirements of 40 Pa.C.S. Ch. 45 (relating to insurance data security) shall be exempt from the notice requirements under subsection (c.1).

(d) Definitions.--As used in this section, the term “public school” means any school district, intermediate unit, charter school, cyber charter school or area career and technical school.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 3, effective in 180 days [June 20, 2006]. Amended 2022, Nov. 3, P.L. 2139, No. 151, § 3, effective in 180 days [May 2, 2023]; 2024, June 28, P.L. 427, No. 33, § 1.1, effective in 90 days [Sept. 26, 2024].

Footnotes

1

73 P.S. § 2304.

2

73 P.S. § 2307.

73 P.S. § 2303, PA ST 73 P.S. § 2303

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2304. Exceptions

The notification required by this act may be delayed if a law enforcement agency determines and advises the entity in writing specifically referencing this section that the notification will impede a criminal or civil investigation. The notification required by this act shall be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 4, effective in 180 days [June 20, 2006].

73 P.S. § 2304, PA ST 73 P.S. § 2304

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2305. Notification of consumer reporting agencies

When an entity provides notification under this act to more than 500 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the timing, distribution and number of notices.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 5, effective in 180 days [June 20, 2006]. Amended 2024, June 28, P.L. 427, No. 33, § 2, effective in 90 days [Sept. 26, 2024].

73 P.S. § 2305, PA ST 73 P.S. § 2305

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2305a. Encryption required

(a) General rule.--An entity that maintains, stores or manages computerized data on behalf of the Commonwealth that constitutes personal information shall utilize encryption, or other appropriate security measures, to reasonably protect the transmission of personal information over the Internet from being viewed or modified by an unauthorized third party.

(b) Transmission policy.--An entity that maintains, stores or manages computerized data on behalf of the Commonwealth that constitutes personal information shall develop and maintain a policy to govern the proper encryption or other appropriate security measures and transmission of data by State agencies.

(c) Considerations.--In developing the policy, an entity shall reasonably consider similar existing Federal policies and other policies, best practices identified by other states and relevant studies and other sources as appropriate in accordance with best practices as established by the Federal Government and the Commonwealth.

(d) Review and update.--The policy shall be reviewed at least annually and updated as necessary.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 5.1, added 2022, Nov. 3, P.L. 2139, No. 151, § 4, effective in 180 days [May 2, 2023].

73 P.S. § 2305a, PA ST 73 P.S. § 2305a

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2305b. Data storage policy

(a) Storage policy.--An entity that maintains, stores or manages computerized data on behalf of the Commonwealth that constitutes personal information shall develop a policy to govern reasonably proper storage of the personal information. A goal of the policy shall be to reduce the risk of future breaches of the security of the system.

(b) Considerations.--In developing the policy, an entity shall reasonably consider similar existing Federal policies and other policies, best practices identified by other states and relevant studies and other sources as appropriate in accordance with best practices as established by the Federal Government and the Commonwealth.

(c) Review and update.--The policy shall be reviewed at least annually and updated as necessary.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 5.2, added 2022, Nov. 3, P.L. 2139, No. 151, § 4, effective in 180 days [May 2, 2023].

73 P.S. § 2305b, PA ST 73 P.S. § 2305b

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2305c. Entities subject to the Health Insurance Portability and Accountability Act of 1996

Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic personal health information established under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, 110 Stat. 1936)¹ and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5, 123 Stat. 226-279 and 467-496)² shall be deemed to be in compliance with the provisions of this act.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 5.3, added 2022, Nov. 3, P.L. 2139, No. 151, § 4, effective in 180 days [May 2, 2023].

Footnotes

1

See 29 U.S.C.A. § 1181 et seq.

2

See 42 U.S.C.A. §§ 300jj et seq., 17901 et seq.

73 P.S. § 2305c, PA ST 73 P.S. § 2305c

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2306. Preemption

This act deals with subject matter that is of Statewide concern, and it is the intent of the General Assembly that this act shall supersede and preempt all rules, regulations, codes, statutes or ordinances of all cities, counties, municipalities and other local agencies within this Commonwealth regarding the matters expressly set forth in this act.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 6, effective in 180 days [June 20, 2006].

73 P.S. § 2306, PA ST 73 P.S. § 2306

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2307. Notice exemption

(a) Information privacy or security policy.--An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and is consistent with the notice requirements of this act shall be deemed to be in compliance with the notification requirements of this act if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(b) Compliance with Federal requirements.--

(1) A financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this act.

(2) An entity, a State agency or a State agency's contractor that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity's, State agency's or State agency's contractor's primary State or functional Federal regulator, shall be in compliance with this act.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 7, effective in 180 days [June 20, 2006]. Amended 2022, Nov. 3, P.L. 2139, No. 151, § 5, effective in 180 days [May 2, 2023].

73 P.S. § 2307, PA ST 73 P.S. § 2307

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2308. Civil relief

A violation of this act shall be deemed to be an unfair or deceptive act or practice in violation of the act of December 17, 1968 (P.L. 1224, No. 387),¹ known as the Unfair Trade Practices and Consumer Protection Law. The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 8, effective in 180 days [June 20, 2006].

Footnotes

1

73 P.S. § 201-1 et seq.

73 P.S. § 2308, PA ST 73 P.S. § 2308

Current through Act 151 of the 2024 Regular Session. Some statute sections may be more current, see credits for details

 

§ 2329. Applicability

This act shall apply to the determination or notification of a breach of the security of the system that occurs on or after the effective date of this section.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 29, effective in 180 days [June 20, 2006]. Amended 2022, Nov. 3, P.L. 2139, No. 151, § 5, effective in 180 days [May 2, 2023].

73 P.S. § 2329, PA ST 73 P.S. § 2329

Current through Act 13 of the 2024 Regular Session. Some statute sections may be more current, see credits for details.

 

§ 2330. Effective date

This act shall take effect in 180 days.

Credits

2005, Dec. 22, P.L. 474, No. 94, § 30, effective in 180 days [June 20, 2006].

73 P.S. § 2330, PA ST 73 P.S. § 2330

Current through Act 13 of the 2024 Regular Session. Some statute sections may be more current, see credits for details.

 

Breach of Personal Information Notification Act (Purdon's Pennsylvania Statutes, Title 73, Sec. 2301 through 2330, added by Laws of 2005, Act 94, approved December 22, 2005, effective June 20, 2006.)

 

For more information, see here:  https://govt.westlaw.com/pac/Browse/Home/Pennsylvania/UnofficialPurdonsPennsylvaniaStatutes?guid=N9B3F41908C4F11DA86FC8D90DD1949D4&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

AND

https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/2005/0/0094..HTM

 

These materials were obtained directly from the U.S. State Legislative websites and are posted here for your review and reference only.  No Claim to Original U.S. State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.